In the absence of legislation on data protection, the government has used existing and proposed laws as well as court judgments to carve out a policy to safeguard patient data recorded in the unique digital health ID under the newly launched National Digital Health Mission.
Two policies — one to manage and share patient data based on their consent, and another to ensure its security — are currently in the process of approvals, according to Dr Indu Bhushan, CEO of the National Health Authority (NHA) which will implement the NDHM.
Its launch was announced by the Prime Minister in his Independence Day address to the nation from the ramparts of the Red Fort.
In an interview to The Indian Express, Bhushan said the mission follows a “privacy by design” approach to ensure that standards followed to protect patient information and their privacy are “of the highest nature”.
“While we may not have the (data protection) law, we have a draft Personal Data Protection (Bill), and we also have various Supreme Court judgments on data privacy and data security. Some of them came in the context of Aadhaar, which are also like laws, and then we also have the IT Act, which also has many other provisions about how data should be obtained, stored and used,” he said.
“Based on that, we have prepared a data management policy, which… defines consent, defines how the data will be stored (and) how the data will be used. All that is there, and they are all aligned to international standards in terms of data, privacy and security,” he said.
“The kind of standards we are following here are of the highest nature. We are following what we call privacy by design — it’s not that we build a system and then look for privacy, because we are thinking of… how we can ensure privacy and build our system based on that,” he said.
In September 2018, while upholding the constitutional validity of the Aadhaar Act, the Supreme Court had asked the government to bring a robust data protection law as soon as possible. The government, however, is yet to table a final version of the data protection law in Parliament.
A new version of the Personal Data Protection Bill, which envisages a government-appointed data protection authority, has been criticised by several stakeholders, including Justice BN Srikrishna, who chaired the original committee on data protection that had released the first draft of the Bill.
“This is a new field, and we are doing the best, based on whatever the latest technology is, and the latest thinking in data privacy. I am quite confident that our norms and protocols will measure up to the best and latest standards in the world,” Bhushan said.
According to Bhushan, the upcoming Health Data Management Policy as well as the Policy on Security of Health Systems are going to improve on the existing framework to collect, store and protect patient data “in a big way”. They are expected to ensure that patient data currently stored by various hospitals is supported by a strong policy framework.
The health data management policy will ensure that privacy, confidentiality and consent are upheld right from the process of creation of the health IDs, which will follow a “free and informed consent” process. Aadhaar numbers of patients will only be requested once the patient consents to creating the ID.
In order to ensure that this is adhered to, the security policy, Bhushan said, will have in place “strict” norms with “more than 100 checks and balances” related to the kind of firewalls that should be in place and the protocols that should be followed to ensure data protection.
“In our system… (while) seeking consent for sharing data, we give them (patients) the option of sharing only part of the data or full data and also the option of for how much time you want to share it. You can also revoke the consent after giving it. All those features are there,” he said.
“Hospitals are also not allowed to share any of the data that they keep without the consent of the patient, and any data that is shared for policy purposes has to be macro data and has to be anonymised. No personally identifiable information can be shared by any of the hospitals who keep the data,” he said.
While private sector resources will be used to create the infrastructure, the architecture and the way the platforms are to be developed are defined by the government, preventing issues of conflict of interest, he said. The core infrastructure will be owned and controlled by the government.
“All these things are evolving issues. When we say that we’re creating a national digital health ecosystem, data security and privacy are a part of that ecosystem. As the technology will evolve, so will the policy and the approach that we take for protecting people’s privacy,” he said.